Electronic control system and method having microcomputer monitoring prohibiting function

ABSTRACT

An electronic control system has a microcomputer monitoring section and an output controlling section. A microcomputer is prohibited from controlling control objects of a vehicle by a control prohibition section in the output controlling section and monitoring halting section halts the abnormality monitoring program executed by a monitoring section, when there is a heavy-load program processing request. Thus, the microcomputer executes the heavy-load program processing with reduced processing load. The abnormality monitoring is started by the monitoring section, when the processing of the heavy-load program is terminated. Further, after normal operation of the microcomputer is checked, the control system allows the microcomputer to start controlling the control objects.

CROSS REFERENCE TO RELATED APPLICATION

This application is based on and incorporates herein by referenceJapanese Patent Application No. 2004-60410 filed on Mar. 4, 2004.

FIELD OF THE INVENTION

This invention relates to an electronic control system and method whichhas a microcomputer abnormality monitoring prohibiting function.

BACKGROUND OF THE INVENTION

An electronic control system for vehicles has a function of monitoringits microcomputer forming a control system to check whether it isoperating normally in order to prevent erroneous operations of thecontrol system. This monitoring ensures safety of a vehicle. Formonitoring microcomputers, for example, a watch-dog timer system, anassignment and answer system, etc. are known.

In the watch-dog timer system, elapse of time is measured by counting aninput clock from the microcomputer, and a reset signal is generated whenthe measured time reaches an abnormality monitoring time. This resetsignal resets and restarts the microcomputer. In the assignment andanswer system, a predetermined monitoring signal (assignment) is appliedto a microcomputer for operation calculation by the microcomputer. Afterthat, it is determined whether its operation result (answer) is the sameas an operation result that should be obtained when the microcomputer isnormally operating. When the two results are different from each other,the microcomputer is determined to be in an abnormal state, and a resetsignal is generated to restart the microcomputer.

In particular, the monitoring system based on the assignment and answersystem has both an assignment sending unit for sending data formonitoring (assignment data) that is outputted to a microcomputer and ananswer determination unit that receives operation result data (answerdata) that the microcomputer performed arithmetic processing on thesignal and determines whether the operation result is correct.

In this case, the assignment sending unit sends out the assignment datathat is stored in a storage unit, such as RAM and ROM, provided in themonitoring system. The microcomputer that received the input of theassignment data performs the arithmetic processing on the assignmentdata using an arithmetic circuit of its own. The operation result isinputted into the answer determination unit provided in the monitoringsystem, and the answer data is compared with correct answer data.

When the two data coincide with each other, the microcomputer isdetermined normal. When the data do not coincide, the microcomputer isdetermined abnormal. At the same time, time elapsed before reception ofthe answer data from sending of the assignment data is counted. In thecase where the answer data is not received even after a predeterminedtime elapse, the microcomputer is determined abnormal.

When monitoring processing for monitoring normality/abnormality of amicrocomputer like this is monitoring processing of a microcomputerprovided in, for example, an electronic control system for vehicles, theassignment data starts to be transmitted immediately after an ignitionis turned on, thereby starting the normality/abnormality determinationprocessing of the microcomputer.

In recent electronic control systems for vehicles, it became more andmore likely that immediately after ignition (IG switch) is turned on,the monitoring system erroneously determines that a microcomputer isabnormal although it is normal in reality. This erroneous determinationoccurs from microcomputer's incapability of outputting an answer signalwithin a predetermined time when an assignment signal is inputted intothe microcomputer from the monitoring system. This is because, when theelectronic control system for vehicles is started just after theignition is turned on, a program for checking initial conditions ofvarious control objects of a vehicle runs, and at the same time programsof the control objects are read and written. Consequently themicrocomputer of the control system is put under an extremely heavyoperation load.

In recent years, such control objects of the control system tend toincrease in number, and the capacities of these control programs arebecoming larger. Consequently it is anticipated that the load imposed onthe microcomputer should become heavier, giving high possibility thatthe above problems are more likely to arise than before.

The above problems resulting from insufficiency of the microcomputer'sprocessing capability can be circumvented by providing the electroniccontrol system with a microcomputer having high processing performance.However, this may lead to enlargement of the control system and lack ofarrangement space. Moreover, it also leads to a higher price of avehicle that carries this system. Further, the microcomputer is requiredto have high processing performance only in limited states, such as atthe time of turning-on of the IG switch, other than normal control.Therefore, it is more preferable to use a microcomputer havingprocessing performance that matches normal control.

SUMMARY OF THE INVENTION

Therefore, it is an object of this invention to provide an electroniccontrol system and method that reduces an erroneous determination that amicrocomputer is abnormal when the microcomputer is in a heavy-loadstate immediately after the control system is activated.

According to this invention, a supervisory signal is inputted into amicrocomputer, and based on its operation result and arithmeticprocessing time, abnormality of the microcomputer is monitored. When aheavy-load program processing request signal is inputted, the controlsystem prohibits the control by the microcomputer and then haltsmonitoring of it. The heavy-load program may be a program that isrequested to be processed when the control system is in a state otherthan the normal control.

During processing of the heavy-load program, even when the microcomputeris operating correctly, the arithmetic processing takes a time andconsequently it may possibly be determined that the microcomputer isabnormal. Usually, when the microcomputer is determined abnormal, themicrocomputer will be reset and the arithmetic processing that wasperformed up to that moment will be initialized. In some cases, thearithmetic processing is restarted depending on the contents of eachcase. However, since the microcomputer is still in the same heavy-loadstate as before being reset, it is likely that the microcomputer wouldbe reset again and could not finish the arithmetic processing.

Unlike the conventional case, abnormality monitoring processing is notexecuted during processing of the heavy-load program. Consequently themicrocomputer is not reset due to an erroneous determination. Therefore,even in the heavy-load state, the microcomputer can execute continuouslythe program processing that is in progress until the program processingis completed. When the control system is not executing the abnormalitymonitoring processing of the microcomputer, the microcomputer isprohibited from controlling control objects. Therefore, even when themicrocomputer becomes abnormal during this halt of the abnormalitymonitoring, safety of the vehicle is ensured.

Here, the microcomputer state other than the normal control that weredetermined in advance means a state at the moment when a program in thestorage unit of the microcomputer is overwritten, especially,immediately after the microcomputer received a start request, in adevelopment phase of the control system, and the like. For example, whenthe control system is a control system for vehicles, the state includesa state at the moment when the ignition of a vehicle is turned on, themoment when a program stored in a storage unit of an in-vehiclemicrocomputer is overwritten by a vehicle manufacturer, etc.

Immediately after the ignition of a vehicle is turned on, followingprocesses are executed in parallel: reading of a control program forcontrolling the control objects, system check to check initial settingsof the control objects, initial settings of the control objects, etc. Inaddition, when a program for controlling a vehicle stored in the storageunit of the microcomputer is overwritten, a large amount of program datais inputted by communication from the outside and is written in thestorage unit. Under such situations, the load imposed on themicrocomputer is extremely heavy, and consequently its processing speedbecomes slow, which may result in an erroneous determination.

According to this invention, a program that should be processed underthese situations is specified in advance. When there arises a requestfor requesting the processing of that program, the abnormalitymonitoring processing can be halted, whereby an erroneous determinationcan be prevented. The heavy-load programs include any program that mustbe processed in the heavy-load state of the microcomputer predictable inadvance, such as immediately after activation of the microcomputer andat a time of overwriting the programs.

Therefore, the electronic control system may be a control system whosestate other than the normal control is an initial control state in whichthe microcomputer executes the control immediately after ignition startof the vehicle. Moreover, the control system may be a control systemcharacterized in that the heavy-load program is in a control state inwhich a program stored in the storage unit of the microcomputer isoverwritten at the time of vehicle stop.

Furthermore, a signal for monitoring (supervisory signal) is inputtedinto the microcomputer, and the control system executes abnormalitymonitoring of the microcomputer based on its operation result andarithmetic processing time. Here, the operation result of themicrocomputer is operation result data that is obtained by themicrocomputer performing the arithmetic processing on the supervisorysignal. The arithmetic processing time is a time that reflects a timeelapsed from the moment when monitoring means inputs the supervisorysignal into the microcomputer until the monitoring means obtainsoperation result data of it.

At this time, it is possible to prevent the erroneous determination bylengthening this monitoring processing time. However, in considerationof safety control of the vehicle, it is preferable that the arithmeticprocessing time is set on the basis of arithmetic processing time in thenormal control state. An abnormality monitoring halt state is defined asan exceptional state separately from the normal control state, theabnormality monitoring halt state can be set without relaxing theabnormality monitoring conditions under the normal control state.

When the microcomputer is in a state other than the normal control, andthere is a heavy-load program processing request, the control systemhalts the abnormality monitoring of the microcomputer and prohibits themicrocomputer from controlling the control objects. When themicrocomputer is in a state of processing the heavy-load program asdescribed above, the control system does not execute the abnormalitymonitoring.

By this procedure, erroneous determinations resulting from heavyprocessing load can be prevented. In a state where such abnormalitymonitoring is not executed, it is impossible to determine whether themicrocomputer is operating normally. It cannot be guaranteed that themicrocomputer is functioning correctly. Therefore, when the abnormalitymonitoring is not being executed, it can be made that the erroneoussignal is not inputted into the control objects by prohibiting themicrocomputer from controlling the various control objects.

The operation result determination processing is halted in response toan input of the heavy-load program processing request signal. Output ofthe supervisory signal is halted in response to an input of theheavy-load program processing request signal. The both processes may beexecuted simultaneously. Thus, signal processing when the monitoring isbeing halted is unnecessary. Therefore halt of output of the supervisorysignal and halt of operation result determination processing areeffective because they do not impose an extra load on the microcomputer.

The heavy-load program processing request signal is output in responseto a processing request signal for requesting the processing of theheavy-load program that is outputted from the outside of themicrocomputer. Since it is only required that the heavy-load programprocessing request signal is output to the microcomputer and a controlprohibiting section, the request signal may be output either in theinside or the outside of the microcomputer.

For example, in the case where the monitoring is halted by turning onthe IG in the control system for vehicles, the control system may beconfigured so that the ON signal from the IG switch can be inputteddirectly into the monitoring section and the control prohibitingsection, respectively. At this time, the monitoring section and thecontrol prohibiting section infer that the processing of thepredetermined heavy-load program of the microcomputer has been started,and can prohibit the microcomputer from controlling the control objectsand halt the abnormality monitoring processing.

The control prohibiting section may be a circuit that is provided in anoutput control system electrically connected to the microcomputer andthe control objects in order to prohibit the microcomputer fromcontrolling the control objects.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects, features and advantages of the presentinvention will become more apparent from the following detaileddescription made with reference to the accompanying drawings. In thedrawings:

FIG. 1 is a block diagram showing an electronic control system accordingto an embodiment of this invention;

FIG. 2 is a flowchart showing a first example of microcomputermonitoring halt processing executed in the control system shown in FIG.1;

FIG. 3 is a flowchart showing a second example of microcomputermonitoring halt processing executed in the control system shown in FIG.1; and

FIG. 4 is a flowchart showing a third example of microcomputermonitoring halt processing executed in the control system shown in FIG.1.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Referring to FIG. 1, an electronic control system is comprised of amicrocomputer 20 for outputting control signals for various in-vehicledevices (control objects) 40, a monitoring block 1 for monitoringoperations of the microcomputer 20, and an output control block (outputdriver) 24 that receives a control signal from the microcomputer 20 andactually controls the various in-vehicle devices 40.

The microcomputer 20 includes a CPU 21, a ROM 22, a RAM 23, 10 ports,etc. and outputs control signals for the in-vehicle devices 40 to theoutput driver 24 based on various programs stored in a storage unit ofROM 22, RAM 23, etc. Control signals that control the in-vehicle devices40 are generated by the CPU 21 in the microcomputer 20. The CPU 21 is anarithmetic circuit in the microcomputer 20.

The microcomputer 20 is activated or started with turning-on of anignition switch (IG switch) 30, and a heavy-load program processingrequest unit 31 that received the ON signal of the IG switch outputs aheavy-load program processing request signal to the microcomputer 20concurrently with the activation. Consequently the start-up program isread from the storage unit and executed. The microcomputer 20specifically reads various programs for controlling the in-vehicledevices 40 etc., and starts to control the in-vehicle devices 40. Whenthis start-up program is executed, processing of system check forchecking the initial state, initial settings for controlling the variouscontrol objects, and the like is executed. Upon completion of theseprocesses, the start-up program is terminated and the control in thenormal running state is started.

At the time of the start-up processing of this microcomputer 20, themicrocomputer 20 (also performing monitoring halting) outputs to themonitoring block 1 an assignment answer inhibit signal. This inhibitsignal is output in response to a signal from the heavy-load programprocessing request unit 31 for halting the monitoring processingexecuted by the monitoring block 1.

In this case, the monitoring block 1 is configured to receive an inputof the assignment answer inhibit signal from the microcomputer 20.Alternatively, the input of the assignment answer inhibit signal may bedirectly received from other devices such as the ignition switch 30etc., bypassing the microcomputer 20.

The monitoring block 1 is connected to the microcomputer 20 through aserial communication unit 2 which is capable of serial communication.The monitoring block 1 sends assignment data (ASGN) of a predeterminednumber of bits to the microcomputer 20 as a supervisory or monitorsignal to make the arithmetic circuit of the microcomputer 20 performarithmetic processing.

The monitoring block 1 receives the operation result as answer data(ANSR) to determine whether the answer data is correct. The monitoringblock 1 thereby monitors the microcomputer 20 to determine whether it isin an abnormal state. It is noted that, in parallel to microcomputermonitoring of this assignment and answer system, microcomputermonitoring of a conventional watchdog timer system may be executedsimultaneously.

An assignment data selection unit 3 uses a counter circuit to createassignment data, and transmits this to the microcomputer 20. At thistime, the assignment data is read in synchronization with a system clockof the microcomputer 20, and the read assignment data is transmitted tothe microcomputer 20 sequentially through the serial communication unit2 by serial communication.

The microcomputer 20 performs the arithmetic processing on thisassignment data, and transmits an operation or calculation result to acomparison determination unit 4 as answer data by serial communication.This arithmetic circuit assumes such complex processing as cannot beprocessed when the microcomputer 20 is abnormal, so that the assignmentdata is realized by a simple circuit that uses the counter circuit.

The comparison determination unit 4 executes a comparison operation ofthe answer data received in synchronization with the predetermined clockperiod of the microcomputer 20 and model or reference data (correctanswer data) for the answer data. It determines the answer data as acorrect answer when both data coincide with each other. It alsodetermines the answer as an incorrect answer when not in coincidence.

When the answer data is determined incorrect (NG), the comparisondetermination unit 4 outputs a logical high-level signal (H signal) toan NG determination unit 5. When the answer data is determined correct(OK), the comparison determination unit 4 outputs a logical low-levelsignal (L signal) to the NG determination unit 5. Each of the assignmentdata, the answer data, and the correct answer data is a digital data ofa predetermined number of bits.

When the comparison determination unit 4 outputs the H signal to the NGdetermination unit 5, the assignment data selection unit 3 will receivean input of the L signal through an inverter 10. The assignment dataselection unit 3 made up of counter circuits counts the number of Hsignals (assignment renewal signal) of input signals.

The assignment data selection unit 3 alters the assignment data to betransmitted to the microcomputer 20 according to the increases in thenumber of counts in the counter, and transmits the assignment datadifferent from hitherto transmitted assignment data (data created byadding 1 to the previous assignment data). It is noted that, theassignment data may not be renewed until the NG determination is made upto a predetermined number (e.g., three times). Alternatively, theassignment data may be renewed each time the NG determination is made.

The NG determination unit 5 receives an input of the H signal when thedetermination result is NG in the comparison determination unit 4. Thecomparison determination processing is repeatedly executed. However, inthe case where results of the comparison determination processing show apredetermined number of consecutive NGs (for example, a case where threeconsecutive NGs are produced), the NG determination unit 5 determinesthat the microcomputer 20 is in an NG state (abnormal state) and keepsoutputting the H signal to an OR circuit 11 until the NG determinationunit 5 receives an input of a reset signal. When a determination is OK,the NG determination unit 5 outputs the L signal.

An answer renewal check unit 6 is configured to include a counter timer,and measures a time elapsed from a moment when the comparisondetermination unit 4 receives the answer data to a moment when itreceives the next answer data including an arithmetic processing time ofthe microcomputer 20. When this renewal time exceeds the predeterminedtime (for example, 30 ms), the answer renewal check unit 6 determinesthe microcomputer 20 to be in an NG state (abnormal condition), andkeeps outputting the H signal until the NG determination unit 5 receivesan input of the reset signal. When a determination is OK, the answerrenewal check unit 6 outputs the L signal.

The output signals from the NG determination unit 5 and from the answerrenewal check unit 6 are inputted into the OR circuit 11. When eitherunit inputs the NG signal, i.e., the H signal, into the OR circuit 11,the OR circuit 11 outputs the H signal to a rest pulse generationcircuit 7. The reset pulse generation circuit 7 converts the inputted Hsignal into a pulse signal of a predetermined width, and outputs thissignal to an OR circuit 12 and an inverter 13. In the case where both ofthe NG determination unit 5 and the answer renewal check unit 6 outputthe L signal, that is, the both units make OK determinations, the resetpulse generation circuit 7 does not generate the pulse signal.

When the reset pulse generation circuit 7 generates the resent pulsesignal, the pulse signal is inputted into the OR circuit 12. At thistime, the OR circuit 12 receives an input of the L signal from themicrocomputer 20 when the microcomputer 20 is executing the normalcontrol. Therefore, from the OR circuit 12, the pulse signal isoutputted to the assignment data selection unit 3, the NG determinationunit 5, and the answer renewal check unit 6, respectively. Thus, each ofthese three units is reset and initialized in response to an input ofthe pulse signal of the H level.

Moreover, when the reset pulse generation circuit 7 generates the resetpulse signal, the same pulse signal is inputted into the inverter 13.The inverter 13 reverses this pulse signal and outputs the reversedpulse signal to the microcomputer 20. Thus, the microcomputer 20 isreset and initialized in response to the signal of the L level that isthe reversed pulse signal. As a result, the monitoring block 1 and themicrocomputer 20 in which abnormality has occurred are reset andinitialized.

However, there is no guarantee that the microcomputer 20 necessarilyreturns to and recovers its normal state from an abnormal state by thereset. Therefore, in this control system, a control prohibition circuitprohibits the microcomputer 20 from controlling the control objectsuntil the abnormality monitoring section can check the normal operationof the microcomputer 20. In the case of the microcomputer 20 in FIG. 1,since the microcomputer 20 controls a vehicle, the control of thein-vehicle devices 40 will be halted.

For example, when the microcomputer 20 in FIG. 1 is controlling apower-assisted motor of an electric power steering device as a controlobject, the control of the motor will be halted. Therefore, a driverwill execute handle operations without power assistance by the motorafter this halt. Further, when the microcomputer 20 is controlling abrake hydraulic control of ABS equipment as a control object, the brakehydraulic control will be halted and the user will execute normal brakeoperations.

Even when these vehicular controls are halted, it causes no problem inrunning the vehicle. Usually, in the case of any abnormality of thevehicular control system like this, it is configured to work on a safetyside. The output driver unit 24 also control in a fail-safe mode.

When the electronic control system for vehicles is in a state other thanthe normal control, that is, the microcomputer 20 is in a normal statebut in a heavy-load state, processing capacity of the microcomputer 20will be lowered. Further, a time from reception of the assignment datato transmission of the answer data in the monitoring processing willbecome longer. Consequently the microcomputer 20 will receive an NGdetermination by the answer renewal check unit 6. In this case, althoughthe microcomputer 20 is operating normally, the microcomputer 20 is restand the control system will not control the in-vehicle devices 40 afterthat.

Therefore, in this embodiment, regarding immediately after the IG switch30 is turned on, the control system is configured so as to halt theabnormality monitoring processing executed by the monitoring block 1 andto allow the control prohibition circuit to block out an output from themicrocomputer 20 to the in-vehicle devices 40 in order that thein-vehicle devices 40 would not be controlled in a state where amonitoring function is not working. A control prohibition circuit 25 forprohibiting the microcomputer 20 from controlling the control objectslike this may be installed in the output control system, as in FIG. 1.Alternatively the circuit may be configured to be as an independentcircuit outside the output control system.

The monitoring block 1 executes the monitoring halt processing asfollows for halting monitoring the microcomputer 20. In the electroniccontrol system for vehicles, the heavy-load program processing requestunit 31 outputs a signal for requesting the processing of the start-upprogram to the microcomputer 20 when the IG switch 30 is turned on.Consequently the microcomputer 20 transmits the assignment answerinhibit signal (monitoring inhibit signal) to the monitoring block 1.

The assignment answer inhibit signal is transmitted to the OR circuit 12through the serial communication unit 2 as a H signal. When this Hsignal as the assignment answer inhibit signal is inputted into the ORcircuit 12, the OR circuit 12 will output the H signal to the assignmentdata selection unit 3, the NG determination unit 5, and the answerrenewal check unit 6, keeping these three units in their reset statesall the time. Thus, the monitoring of the microcomputer 20 by themonitoring block 1 is halted.

In this case, it is not necessary to halt all the three units. Forexample, the circuit may be configured so that the NG determination unit5 and the answer renewal check unit 6 are always kept in a reset state,and even when the assignment data selection unit 3 sends the assignmentdata to the microcomputer 20, the NG determination is not executed onanswer data of it.

In this case, since the signals outputted from the NG determination unit5 and from the answer renewal check unit 6 are always the L signal, andtherefore the reset pulse generation circuit 7 does not generate a resetpulse signal, and the microcomputer 20 will not be reset. In this case,only circuits a and b are needed and a circuit c is unnecessary.

Hereafter, regarding the abnormality monitoring halt processing of theelectronic control system for vehicles, a flow for executing theprocessing will be described. FIG. 2 is a flowchart of the microcomputerhalt processing in response to an event of the turning-on of the IGswitch 30.

In step 101, it is determined whether a start-up (activation) request ofthe microcomputer 20 is issued. When the heavy-load program processingrequest unit 31 (heavy-load program processing requesting section)detects the ON signal of the IG switch 30, the processing proceeds tostep 102 in order to output the start-up request signal to themicrocomputer 20. Conversely, when the IG switch continues to be off (nostart-up request), the flow returns to step 101 again.

In step 102, a control prohibition circuit 25 prohibits themicrocomputer 20 from controlling the various in-vehicle devices 40.Control signals to the in-vehicle devices 40 may be blocked using, forexample, a switch circuit. In step 103, the microcomputer abnormalitymonitoring processing by the monitoring block 1 is halted. Because ofthis, in the case where the microcomputer 20 is not being monitored forits abnormality by the monitoring halt processing in step 103, thein-vehicle devices 40 is not controlled by the microcomputer 20 at all.

Halt of the microcomputer monitoring processing in step 103 is done bybeing triggered by an input of the assignment answer inhibit signal thatthe microcomputer 20 transmitted to the OR circuit 12 of the monitoringblock 1. The assignment answer inhibit signal is not necessarilyrequired to be outputted from the microcomputer 20. In this case, thecontrol system may be configured so that the monitoring block 1 receivesan input of the H signal directly from the IG switch 30, bypassing themicrocomputer 20.

In step 104, the start-up processing is started in response to an eventthat the microcomputer monitoring is halted in step 103. In step 105, itis determined whether the start-up processing is completed. When it isterminated, the processing proceeds to step 106. By the termination ofthe start-up processing, the microcomputer 20 is put under a loadroughly equal to a load when the vehicle is normally running, notbearing as heavy a load as when being activated.

In step 106, in response to an event that the microcomputer 20 hasbecome in a control state of normal running, the control system startsthe monitoring processing. In step 107, in response to an event that themicrocomputer 20 has become in a monitoring state by the monitoringblock 1, the control system removes the control prohibition state laidon the microcomputer 20 by the control prohibition circuit 25, allowsthe microcomputer 20 to start to control the various in-vehicle devices40, and terminates this processing.

It is noted that the microcomputer monitoring halt processing in FIG. 2is not applied only at a time when the microcomputer 20 is put under aheavy load immediately after the turning-on of the IG switch of thevehicle. For example, when programs stored in ROM 22 and RAM 23 of themicrocomputer 20 are being overwritten in a vehicle maker, themicrocomputer 20 is put under a heavy load, as at the time of turning-onof the IG switch 30, and its processing speed is lowered.

In this case, microcomputer monitoring halt processing can be executedas shown in a flowchart shown in FIG. 3.

In step 201 in FIG. 3, it is determined whether the microcomputer 20received a program writing request (a kind of heavy-load programprocessing requests). The writing request can request processing of aprogram overwriting program by sending a signal, for example, from theoutside that urges the heavy-load program processing request unit 31 totransfer to a program overwriting mode and making the said request unit31 input a program overwrite processing request signal (a kind of thesignal of requesting the heavy-load program processing) into themicrocomputer 20.

When there is a writing request in step 201, the processing proceedsfrom step 202 to step 203. When there is no writing request, theprocessing ends. In step 202 and step 203, as in step 102 and step 103in FIG. 2, the microcomputer 20 is prohibited from controlling thevarious in-vehicle devices 40 and subsequently the microcomputermonitoring is halted. After checking these halts, in step 204,processing of writing the program into the storage unit of themicrocomputer 20 is started.

When the write processing is terminated, the processing proceeds fromstep 205 to steps 206 and 207, where the microcomputer monitoring isstarted as in steps 106 and 107, the microcomputer 20 starts to controlthe various in-vehicle devices 40, and this program is terminated. Inaddition, this processing can be executed from a state where themicrocomputer monitoring has already been started. This is executedafter checking whether the microcomputer 20 is in the programoverwriting mode that is allowed only when the vehicle is not in normalrunning.

The processing may be one that determines whether there is a programoverwriting request to the microcomputer 20 in FIG. 3 immediately afterthe IG switch 30 in FIG. 1 is turned on. FIG. 4 shows a flowchart inthis case.

In step 301 in FIG. 4, as in step 101, it is determined whether there isa start-up request to the microcomputer 20 that accompanies turning-onof the IG switch 30. When the start-up is requested, processing fromstep 302 to step 305 is executed. When there is no start-up request, theprocessing proceeds to step 306. The processing from step 302 to step305 is identical to that of steps 102-105 in FIG. 2. After the start-upprocessing is terminated in step 305, the processing proceeds to step306.

In step 306, it is determined whether the program writing is requestedto the microcomputer 20. When there is the request, processing from step307 to step 310 is executed. When there is no such a request, theprocessing proceeds to step 311. The processing from step 307 to step310 is identical to that of steps 202-205 in FIG. 3. When the processingof writing the program into the microcomputer 20 is terminated in step310, the microcomputer monitoring is started in step 311, and themicrocomputer 20 starts to control the various in-vehicle devices instep 312.

This invention is not limited to these embodiments. Variousmodifications and variations can be made to this invention withoutdeparting from the technical scope based on the description of theappended claims.

1. An electronic control system comprising: a microcomputer thatgenerates a control signal for controlling control objects based on acontrol program stored in storage means; monitoring means that executesabnormality monitoring processing for monitoring the microcomputer tocheck whether the microcomputer is normal; heavy-load program processingrequesting means for outputting a heavy-load program processing requestsignal that requests the microcomputer to process a predeterminedheavy-load program stored in the storage means when the microcomputer isin a state other than a predetermined normal control; monitoring haltingmeans for making the monitoring means halt the abnormality monitoringprocessing in response to an input of the heavy-load program processingrequest signal; and control prohibiting means for halting the controlobjects on a safe side by blocking out the control signal of themicrocomputer so as not to be transmitted to the control objects inresponse to an input of the heavy-load program processing request signalwhen the abnormality monitoring processing is halted by the monitoringhalting means.
 2. The electronic control system according to claim 1,wherein the control prohibiting means prohibits the microcomputer fromcontrolling the control objects and the monitoring halting means haltsthe abnormality monitoring processing executed by the monitoring means,when the heavy-load program processing requesting means issues theheavy-load program processing request to the microcomputer, andsubsequently the microcomputer executes the heavy-load programprocessing.
 3. The electronic control system according to claim 1,wherein the normal operation of the microcomputer is checked when theheavy-load program processing is terminated, and subsequently thecontrol prohibiting means cancels control prohibition laid on control ofthe control objects by the microcomputer allowing the microcomputer toresume the control of the control objects and the monitoring means toresume the abnormality monitoring processing of the microcomputer. 4.The electronic control system according to claim 1, wherein themonitoring means executes the abnormality monitoring processing byoutputting a predetermined supervisory signal to the microcomputer,making the microcomputer perform arithmetic processing, and determiningwhether the microcomputer operates normally based on an operation resultand arithmetic processing time.
 5. The electronic control systemaccording to claim 1, wherein the monitoring means halts the operationresult determination processing in response to the heavy-load programprocessing request signal.
 6. The electronic control system according toclaim 1, wherein the monitoring means halts the output of thesupervisory signal in response to an input of the heavy-load programprocessing request signal.
 7. The electronic control system according toclaim 1, wherein the heavy-load program processing requesting meansissues the heavy-load program processing request signal in response to aprocessing request signal for requesting the processing of theheavy-load program that is outputted from an outside of themicrocomputer to the microcomputer.
 8. The electronic control systemaccording to claim 1, wherein the control prohibiting means is a circuitelectrically connected to the microcomputer and the control objects inorder to prohibit the microcomputer from controlling the controlobjects.
 9. The electronic control system according to claim 1, whereinthe control objects are provided in a vehicle, and a state other thanthe normal control is an initial control state where the control isexecuted by the microcomputer immediately after ignition start of thevehicle.
 10. The electronic control system according to claim 1, whereinthe control objects are provided in a vehicle, and the heavy-loadprogram is in a state where a program stored in the storage means of themicrocomputer is overwritten at a time of vehicle stop.
 11. Anelectronic control method comprising: operating a microcomputer thatgenerates a control signal for controlling control objects based on acontrol program stored in storage means; monitoring. a microcomputeroperation to check whether the microcomputer is normal by outputting apredetermined supervisory signal to the microcomputer and making themicrocomputer perform arithmetic processing in response to thepredetermined supervisory signal; checking whether the microcomputer isin a predetermined state that corresponds to a heavy-load programprocessing state other than a predetermined normal control state; andhalting the monitoring step when the microcomputer is determined to bein the predetermined state.
 12. The electronic control method accordingto claim 11, wherein the predetermined state includes a start-up of theoperation of the microcomputer by turning on an ignition switch of avehicle.
 13. The electronic control method according to claim 11,wherein the predetermined state includes a program writing operation ofthe microcomputer.